#563 Automatic MUC kicks on stream errors can reveal domains in semi-anonymous rooms

Reporter xnyhps
Owner MattJ
Created
Updated
Stars ★★ (3)
Tags
  • Priority-High
  • Status-Fixed
  • Milestone-0.11
  • Security
  • MUC
  • Type-Defect
  1. xnyhps on

    When a stream error is returned when trying to route a stanza to a MUC participant, the text of the stream error is copied literally to the MUC as the reason for the kick: https://hg.prosody.im/0.9/file/5a60b4705bc3/plugins/muc/muc.lib.lua#l252

    However, the stream error can contain the domain. For example, Prosody itself will include the domain when closing a stream with host-unknown: https://hg.prosody.im/0.9/file/5a60b4705bc3/plugins/mod_s2s/mod_s2s.lua#l324

    This leads to error messages such as:

    User has left the chatroom (Kicked: remote server not found: Server-to-server connection failed: host-unknown (This host does not serve example.com))

    This is a leak if the room is semi-anonymous.

  2. Zash on

    Un-hiding because we don't think this is exploitable.

    Changes
    • tag -Hidden
    • tag MUC
    • tag Status-Accepted
  3. xnyhps on

    The s2s_secure_auth setting creates the same problem as host-unknown:

    User has left the chatroom (Kicked: remote server not found: Server-to-server connection failed: not-authorized (Your server's certificate is invalid, expired, or not trusted by example.com))

  4. Zash on

    Typo :)

    Changes
    • title Autmatic MUC kicks on stream errors can reveal domains in semi-anonymous rooms Automatic MUC kicks on stream errors can reveal domains in semi-anonymous rooms
  5. MattJ on

    Changes
    • tags Milestone-0.11
  6. MattJ on

    Proposed patch: diff -r 4aa786a180f5 plugins/muc/muc.lib.lua --- a/plugins/muc/muc.lib.lua Mon Aug 06 15:26:33 2018 +0100 +++ b/plugins/muc/muc.lib.lua Tue Aug 07 12:39:09 2018 +0100 @@ -361,8 +361,8 @@ local occupant = self:get_occupant_by_real_jid(real_jid); if occupant == nil then return nil; end local type, condition, text = stanza:get_error(); - local error_message = "Kicked: "..(condition and condition:gsub("%-", " ") or "presence error"); - if text then + local error_message = "Error: "..(condition and condition:gsub("%-", " ") or "presence error"); + if text and room:get_whois() == "anyone" then error_message = error_message..": "..text; end occupant:set_session(real_jid, st.presence({type="unavailable"})
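
    Review bot: The new condition `if text and room:get_whois() == "anyone" then` refers to `room`, which is not defined in any visible line of this hunk, while the same function calls `self:get_occupant_by_real_jid(real_jid)` two lines above. Unless `room` is a local or upvalue declared outside the hunk, this will raise on a nil value whenever the error stanza carries text, so the check should read `self:get_whois() == "anyone"`. Two smaller points: the prefix change from "Kicked: " to "Error: " is visible to every occupant and deserves a mention in the commit message, and a short comment above the condition saying that the free-form error text may contain the remote domain would keep the whois check from being removed later as redundant.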

  7. MattJ on

    Fixed in 51c5dd7a8ab9

    Changes
    • tags Status-Fixed
    • owner MattJ
